Yahoo secretly built software in 2015 that let it search the incoming emails of its hundreds of millions of users on behalf of the U.S. government, Reuters reported Tuesday.
The tech titan’s previously unreported use of custom software to eavesdrop on its users was done without the knowledge of its chief security officer and despite the wishes of several senior executives, two former employees told Reuters on condition of anonymity.
Rather, CEO Marissa Mayer secretly conceded to a surveillance order issued by U.S. intelligence officials and directed Yahoo’s engineers to build an application that searched all its users’ arriving messages for an unspecified string of characters, according to Reuters.
“Based on this report, the order issued to Yahoo appears to be unprecedented and unconstitutional,” said Patrick Toomey, a staff attorney with the American Civil Liberties Union. “The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit.”
Yahoo’s security team discovered the software in May 2015 within weeks of its installation and initially thought the company had been hacked, the sources told Reuters. Alex Stamos, then its chief information security officer, resigned the following month after learning the decision was made behind his back, and reportedly told his employees that a software bug could have let hackers access hundreds of millions of Yahoo user’s saved emails.
Only days after admitting more than 500 million accounts were compromised as the result of a massive 2014 data breach, the latest revelations added fuel to a fire already flamed by concerns over the company’s security practices.
“They secretly scanned everything you ever wrote, far beyond what law requires. Close your account today,” tweeted Edward Snowden, the former National Security Agency contractor who leaked details about the government’s surveillance programs in 2013.
“The Fourth Amendment implications are staggering,” tweeted Andrew Crocker, a staff attorney with the Electronic Frontier Foundation, a California-based digital rights group.
The email-scanning software was built by Yahoo last year after either the NSA or FBI served the company with a classified U.S. government directive, according to the Reuters report. Either agency could have requested user data under the Foreign Intelligence Surveillance Act (FISA), and Yahoo unsuccessfully challenged an eavesdropping order served by the NSA in 2007 before the U.S. Foreign Intelligence Surveillance Court; previously classified documents unsealed in 2014 revealed that Yahoo was threatened with being fined $250,000 for each day it didn’t comply with that secret order.
But while investigators routinely request user data from internet companies like Yahoo and others, surveillance experts told Reuters that the automated scanning of accounts may mark the first time an American company has agreed to search all of its users’ messages as they arrived.
It wasn’t clear what sort of information was being sought by investigators, or if the search helped the government accomplish their goal, Reuters reported.
“Yahoo is a law abiding company, and complies with the laws of the United States,” Yahoo told Reuters in a statement, declining to comment further.
In its most recent transparency report, Yahoo said it received 4,460 requests for user data from U.S. investigators during the second half of 2015, disclosing content 1,098 times. As noted in a footnote, however, those figures don’t take into account requests approved by the FISA court.
In responding to FISA requests, Yahoo said it may potentially provide authorities with any content its users “create, communicate and store on or through our services. This could include, for example, words in an email or instant message, photos on Flickr, Yahoo Address Book or Calendar entries and similar kinds of information.”
“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court. If this surveillance was conducted under Section 702 of the Foreign Intelligence Surveillance Act, this story reinforces the urgent need for Congress to reform the law to prevent dragnet surveillance and require increased transparency,” Mr. Toomey of the ACLU said in a statement Tuesday.
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.